Your E and O Won’t Cover HIPAA HITECH Fines

I had a long conversation yesterday with a friend on the P&C side of the business and she has been researching whether a broker’s E&O policy could cover fines and penalties under HIPAA HITECH.

From all her research with E&O carriers, there is no coverage. Since an E&O insurer can neither gauge the risk nor police the degree to which a broker is compliant with the privacy and security rules, they will not insure it.

So, put another way, your firm is naked from a risk management perspective in terms of its insurance cover.

HIPAA HITECH is not some toothless DOL or ERISA law, nor the HIPAA of 2003. WHY?

HHS is going to use fines to fund enforcement.

The state Attorneys General keep a portion of any fines they levy.

There is a "tip line" set up, and any whistleblower gets to keep a portion of any fines they help create.

What is your risk? Let's start with the reputational risk alone. HITECH:

Adds a new "Tattle" rule requiring BAs to report their CEs' (clients' and carriers') breaches.

Makes local media notification mandatory if a breach involves 500 or more lives.

Allows the state Attorneys General to take legal action on privacy/security violations. CT took the first action against Health Net last week.

Establishes new criminal and civil penalties for noncompliance that apply to BAs as well:

| Violation | Penalty per Violation | Maximum per Year |
|---|---|---|
| Tier A – Did not know | $100 | $25,000 |
| Tier B – Reasonable cause, not willful neglect | $1,000 | $100,000 |
| Tier C – "Willful neglect", corrected | $10,000 | $250,000 |
| Tier D – "Willful neglect", uncorrected | $50,000 | $1,500,000 |

So your organization's only defense against HIPAA HITECH penalties and reputational risk is to get compliant, stay compliant, and be sure to encrypt your email whenever it carries PHI.